The following procedures document how to create the entries in the directory to support a virtual host. The procedures show you how to create ldif files to use with ldapmodify to make the entries, but you may use the Deja tool instead. At the end of the section, there is an example ldif file with all of the entries you would make if you follow each procedure.
The examples in the procedures use the most complicated case: a virtual host with its own, unique set of subscribers who have personal directories for web and FTP content. The configuration you use may be less complicated, and may not require all of these procedures.
You only need to create these directory entries if you need to authenticate subscribers against the directory. If subscribers never authenticate with the FTP or web server (or any other service you may add that authenticates users against the directory), you do not need special entries in the directory.
The examples in the procedure will assume the following sample data:
There is a virtual domain called smallorg.com
.
There is one virtual host in the domain, www.smallorg.com
(111.112.113.14) , which subscribers
use for web site content.
The site is also configured as a Sun Internet FTP Server virtual FTP site so that users may upload content using FTP.
The virtual domain is for an organization with multiple subscribers.
Subscribers are authenticated only in the virtual domain, not as subscribers to the main ISP organization.
The root directory of the virtual FTP site and web site is /var/hosts/smallorg/public/.
Each subscriber has a directory directly beneath the root directory (/var/hosts/smallorg/public/username/).
The name of the hosting ISP is "myISP," and it is represented in the OSI tree in the directory as the naming
context o=myISP,c=US
.
The entries in the DC tree allow services to map the virtual host DNS name to an area in the OSI tree where service configuration and subscriber data is stored.
By default, the DC tree contains a top level dc=com
node representing the .com
top-level
DNS domain. Each host is represented by a chain of dc nodes that are children of the top node. For example, www.sun.com
would be represented as dc=www,dc=sun,dc=com
.
If you need to add hosts that are not in the .com
domain, you will need to create another naming context (for example,
a top-level dc=net
node). See "Adding More Top-level Domains" for more help with creating a new naming context.
Determine the name of each virtual host subscribers may authenticate on.
You only need to configure the hosts that will use the directory to authenticate users.
In this example, we will use one host: www.smallorg.com
If there is no naming context for the top-level domain for the virtual host, create one.
You can view the current naming contexts using Deja or by using the web gateway (if it is enabled) .
If there is no dc=com
domain, for example, you will need to create one before www.smallorg.com
can be added. See "Adding More Top-level Domains" for more help with creating a new naming context.
Determine the distinguished name (dn) of the node in the OSI that contains the subscribers who use this host.
This will be the associatedName
attribute on the dc entry for the host.
This example assumes that the domain smallorg.com
has its own unique set of subscribers. The entries may not exist
in the directory yet, but they will be created later. The dn in the OSI tree will be ou=SmallOrg,o=myISP,c=US
.
Create a text file for the ldif entries.
For example, /tmp/smallorg.ldif.
For each dc node you need to add, create an ldif entry naming the dn (dc=name), the objectclass
(domain
), dc
, and the associatedName
in the OSI tree.
For our example, we need to add dc nodes for smallorg (beneath com) and www (beneath smallorg). The dc=www
node
needs to point to the proper place in the OSI tree so that the correct users can log in to that host.
dn: dc=smallorg,dc=com dc: smallorg objectclass: domain dn: dc=www,dc=smallorg,dc=com dc: www objectclass: domain associatedname: ou=SmallOrg,o=myISP,c=US
Save the file.
You may run ldapadd now to add the entries, or continue with the other procedures and add all of the required ldif entries to the file first.
To run ldapadd on the host where the Solaris ISP Server directory server is running:
% cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif |
Continue with the procedure in "Entries in the OSI Tree".
The OSI tree must contain entries for the subscribers who will be authenticated on the virtual host.
The virtual host or virtual domain does not need to have its own set of subscribers; the virtual host services can authenticate users against
the general ISP subscriber base. If you wish to have users authenticated against the general ISP subscriber base, make the associatedName
attribute on the dc
entries in the DC tree point to the top DN in the OSI tree (for example, ou=myIsp,c=US
).
If you create a new domain in the OSI tree, you need to create an organizationalUnit
(ou
)
node naming the domain with an associatedDomain
attribute that points to the proper domain or host name in the DC tree.
Below the virtual domain ou
, you need to create ou
nodes for People (to contain ispSubscriber
entries), Groups, and Services (to contain ispService
entries). Populating the People and
Services portions of the tree is explained in "Entries for Users for the Domain" and "Entries for Services in the Domain" below.
The procedure below uses a virtual host with its own set of subscribers. Since these subscribers are unique to the virtual domain, we need
to create an ou
node in the OSI tree for the domain and set its associatedDomain
attribute to
the name of the virtual domain in the DC tree.
Determine the distinguished name for the domain in the OSI tree. The distinguished name includes the ou
node for the domain, and all of the parents of that node in the tree.
In this procedure we will create a domain directly below a top distinguished name of o=myISP,c=US
. The dn of the
domain is ou=SmallOrg,o=MyISP,c=US
.
Since we have only one host in the example, we could be more specific and use ou=www,ou=SmallOrg,o=MyISP,c=US
.
By only specifying the domain, it is possible to add more virtual hosts to the domain later that use the same subscribers (for example, if mail.smallorg.com
is created later).
Determine the dn of the virtual host in the DC tree. This will be used in the associatedDomain
attribute.
For example, dc=smallorg,dc=com
.
Create a text file for the ldif entries.
For example, /tmp/smallorg.ldif.
Create an ldif entry for the domain specifying the dn
, its object class attributes,
the ou
, and the associatedDomain
.
The object classes are always organizationalUnit
and domainRelatedObject
.
For this example, dn=ou=SmallOrg,o=MyISP,c=US
and the associatedDomain
is smallorg.com
(note that the associatedDomain
is specified as a domain name and not as a distinguished name).
Here is what would be entered into the ldif file:
dn: ou=SmallOrg,o=MyISP,c=US ou: SmallOrg associatedDomain: smallorg.com objectClass: organizationalUnit objectClass: domainRelatedObject objectClass: top
Create ldif entries for the People
, Groups
, and Services
nodes in the domain.
These nodes all have organizationalUnit
object classes, and are used to contain other data for the virtual domain.
The following would be added to the end of the example ldif file:
dn: ou=People,ou=SmallOrg,o=MyISP,c=US ou: People objectClass: organizationalUnit dn: ou=Groups,ou=SmallOrg,o=MyISP,c=US ou: Groups objectClass: organizationalUnit dn: ou=Services,ou=SmallOrg,o=MyISP,c=US ou: Services objectClass: organizationalUnit
Save the file.
You may run ldapadd now to add the entries, or continue with the other procedures and add all of the required ldif entries to the file first.
To run ldapadd on the host where the Solaris ISP Server directory server is running:
% cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif |
After you create the domain in the OSI tree, you can add entries for the users of that domain below the ou=People
node. For detailed information on creating users, see Chapter 5, Making Subscriber Directory Entries.
The ispSubscriber
attributes specific to the virtual host are ispContentDirectory
and ispAuthorizedServices
.
ispContentDirectory
specifies the user's directory on the virtual host. The directory is relative to the value
of the ispDirectoryRoot
of the service the user accesses (see "Entries for Services in the Domain" for information on this
attribute). The ispContentDirectory
is used by the Sun Internet FTP Server and the Sun WebServer to determine where to store content that a user
puts on the virtual host.
If a virtual host only has one authorized user (an administrative account for a hosted web site, for example), you may wish to create a
single subscriber in the domain who only has access to the web site directory. In this case, the ispContentDirectory
could be "/" to indicate that when the user logs in to the Sun Internet FTP Server his or her root directory will be the ispDirectoryRoot
of the FTP site.
ispAuthorizedServices
specifies the distinguished names of services in the virtual domain that the user can access
(if authentication is required). An example dn value for this attribute is ispVersion=2.1,ou=SUNWhttp,ou=Services,ou=SmallOrg,o=MyISP,c=US
.
The following example shows an ldif entry for a subscriber that could be part of the www.smallorg.com
domain described
in other sections:
dn: cn=John Doe (jdoe),ou=People,ou=SmallOrg,o=MyISP,c=US objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: ispSubscriber cn: John Doe sn: Doe givenName: John userId: jdoe userPassword: secret uidNumber: 19995 gidNumber: 101 ispContentDirectory: jdoe/public_html ispauthorizedServices: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US mail: jdoe@myisp.com
Each service that the users in the virtual domain can log in to requires an ispService
entry beneath the ou=Services
node in the domain. The only service bundled with the Solaris ISP Server software that can authenticate users in virtual domains
is Sun Internet FTP Server, so that is the only service covered in this section.
The Sun WebServer uses the ispDirectoryRoot
of a Sun Internet FTP Server entry to determine where to store or find user personal content.
If users have personal web site directories, create an ispService
entry for a Sun Internet FTP Server service even if a virtual FTP site
has not been created.
Determine the directory root used by the Sun Internet FTP Server or Sun WebServer service on the virtual host.
This example will use /var/hosts/smallorg/public/. Beneath this directory there may be a ./pub directory for anonymous FTP, web site content, and user directories in ./username/public_html.
Create a text file for the ldif entries.
For example, /tmp/smallorg.ldif.
Add an ou
entry for SUNWftp to the Services
node for the
domain.
dn: ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US ou: SUNWftp objectClass: organizationalUnit
Add an ispService
entry beneath the SUNWftp
entry. The
dn of this entry is the ispVersion
attribute plus the dn of the SUNWftp
entry you just added.
The ispVersion
attribute is always "1.0."
dn: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US ispVersion: 1.0 cn: SUNWftp objectClass: ispService ispDirectoryRoot: /var/hosts/smallorg/public
Save the file.
Run ldapadd now to add the entries.
To run ldapadd on the host where the Solaris ISP Server directory server is running:
% cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif |
For reference, the listing below shows the complete contents of an ldif file with all of the example entries used in this Appendix:
dn: dc=smallorg,dc=com dc: smallorg objectClass: domain dn: dc=www,dc=smallorg,dc=com dc: www objectClass: domain associatedName: ou=SmallOrg,o=myISP,c=US dn: ou=SmallOrg,o=MyISP,c=US ou: SmallOrg associatedDomain: smallorg.com objectClass: organizationalUnit objectClass: domainRelatedObject objectClass: top dn: ou=People,ou=SmallOrg,o=MyISP,c=US ou: People objectClass: organizationalUnit dn: ou=Groups,ou=SmallOrg,o=MyISP,c=US ou: Groups objectClass: organizationalUnit dn: ou=Services,ou=SmallOrg,o=MyISP,c=US ou: Services objectClass: organizationalUnit dn: cn=John Doe (jdoe),ou=People,ou=SmallOrg,o=MyISP,c=US objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: ispSubscriber cn: John Doe sn: Doe givenName: John userId: jdoe userPassword: secret uidNumber: 19995 gidNumber: 101 ispContentDirectory: jdoe/public_html ispauthorizedServices: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US mail: jdoe@myisp.com dn: ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US ou: SUNWftp objectClass: organizationalUnit dn: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US ispVersion: 1.0 cn: SUNWftp objectClass: ispService ispDirectoryRoot: /var/hosts/smallorg/public